Vital Sounds 2023, Quarter 2

It’s Not Paranoia: Pixels May Be Tracking You and Your Patients

May 23, 2023

 

By Connie Christian, MBA, CPHRM
Facility Risk Management and Patient Safety Advisor

Have you ever noticed that when you click on an ad on a website, social media page, or email, you’ll see ads for that product everywhere online? The reason for this is tracking or marketing pixels, also known simply as pixels.

Pixels are third-party analytical tools embedded in the HTML code of a website or email. The pixel contains an external link to the pixel server. When a user visits the website, the user’s browser processes the HTML code, follows the external link, and requests the tracking pixel connected to the content from that server, with the aim of providing a better website user experience and the delivery of relevant ads.[1]

Why is this an issue for healthcare providers and health facilities? 

  • Third-party web analytic software installed on provider websites, including patient portals, may expose patient data. The Department of Health and Human Services (HHS) Privacy Rule states that disclosures of protected health information (PHI) to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.
  • Exposed patient information may be inappropriately used to target consumers with advertisements related to exposed medical conditions. Such advertisements could promote unproven alternative remedies, redirecting patients from appropriate care.[2] Impermissible disclosure of PHI may also result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others identified in the individual’s PHI.[3]
  • PHI exposure without business associate agreements (BAAs) could result in fines or legal actions.
  • Disclosure of sensitive data may lead to patient (consumer) distrust of providers.

How did tracking pixels move from marketing to general consumers to healthcare consumers?

  • Third-party web analytics tools may provide valuable statistics and insights on customer use of a healthcare provider’s websites at little to no cost. However, the practice or facility may be unaware at the time of implementation that the companies providing the software may also use the data to track and profile individuals as they browse the Internet. In many cases, the purpose is to tailor advertisements to the individual.
  • Examples of these tools include Adobe Analytics, Google Analytics, and Meta Pixel.
  • In June 2022, a report on themarkup.org disclosed that patient portals exposed patient data to Meta (i.e., Facebook) tracking. Specifically, appointment scheduling information was exposed to Meta when some healthcare organizations installed Meta Pixel within MyChart patient portals.
  • Healthcare providers that expose PHI to Meta without a BAA may violate the HIPAA Privacy Rule. Information such as an IP address is defined as a patient identifier under HIPAA de-identification requirements. HHS is investigating the potential for HIPAA violations.[4]

Risk Management Considerations

  • Develop policies governing the use of third-party web analytic tools with information technology, legal, and marketing departments.
    • Review usage agreements of any web analytic tools to determine how all collected data may be used.
    • Do not install third-party web analytic tools on websites containing patient information, such as patient portals, without a BAA in place.
    • Consider indirect indications of medical treatment or conditions that may be inferred from browsing websites, such as searching for a doctor or viewing an online medical library.
  • Audit customer-facing web applications for third-party web analytic tools. Consider disabling any that may expose patient data. Online tools are available to identify these tools.
  • If data has been inappropriately shared, notify KAMMCO for claims assistance and to comply with breach notification requirements.
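
One way to carry out the audit step above on a saved copy of a page, as an added example that is not part of the original article or a KAMMCO tool. It lists every script, image, or iframe loaded from a host other than the site's own and labels the three tools the article names; the host list, the function names, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative, non-exhaustive host suffixes for the three tools the article names.
KNOWN_TRACKERS = {
    "facebook.net": "Meta Pixel", "facebook.com": "Meta Pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Analytics",
    "adobedtm.com": "Adobe Analytics", "omtrdc.net": "Adobe Analytics",
}

def vendor_for(host):
    return next((v for s, v in KNOWN_TRACKERS.items()
                 if host == s or host.endswith("." + s)), None)

class ThirdPartyAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings, self._in_script = site_host.lower(), [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag in ("script", "img", "iframe"):  # a relative src has no host
            host = (urlparse(dict(attrs).get("src") or "").hostname or "").lower()
            if host and host != self.site_host and not host.endswith("." + self.site_host):
                self.findings.append((tag, host, vendor_for(host)))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # pixels are often injected by inline JavaScript
            self.findings += [("inline-script", s, v)
                              for s, v in KNOWN_TRACKERS.items() if s in data.lower()]

def audit_page(html, site_host):
    parser = ThirdPartyAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; portal.example.org and every URL value are placeholders.
SAMPLE = """<script src="/static/app.js"></script>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&amp;ev=PageView">
<script>loadScript('https://connect.facebook.net/en_US/fbevents.js');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<img src="https://images.example-cdn.test/logo.png">"""

if __name__ == "__main__":
    print(*audit_page(SAMPLE, "portal.example.org"), sep="\n")
```

A finding with no vendor label is still a third-party request and needs the same usage-agreement and BAA review. A static scan of saved HTML does not see tags that scripts add at run time, so it complements rather than replaces a review of the live page's network requests.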

Additional Information

Tracking pixels and cookies are very similar and are often used simultaneously. They both serve similar marketing purposes by tracking user activity and behavior. However, the differences are in how the information is delivered and where it’s kept.

  • Cookies are dropped on a user’s browser and cannot be followed across devices. Additionally, users can block or clear cookies if they want. Most often, they’re used to store user information for an easier login experience and to hold multiple items in a cart for a single checkout experience.
  • Tracking pixels do not rely on the user’s browser but will send information directly to servers. They can follow users across all their devices, linking marketing efforts across websites and mobile ads. A key difference is that pixels cannot be disabled as cookies can.[5]

KAMMCO Resources

Cyber Security Risk and Vendor Management Resources


Sources

[1] CookiePro 2023, What is a tracking pixel? Published 11/17/2021. www.cookiepro.com/knowledge/tracking-pixel/ Accessed 5/2/2023

[2] ECRI 2023, Third-Party Web Analytic Tools Installed on Provider Websites May Expose Patient Data. Published 11/2/2022. www.ECRI.org Accessed 5/2/2023

[3] HIPAA for Professionals, Guidance, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. Published 12/1/2022. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html Accessed 5/2/2023

[4] ECRI 2023, Third-Party Web Analytic Tools Installed on Provider Websites May Expose Patient Data. Published 11/2/2022. www.ECRI.org Accessed 5/2/2023

[5] CookiePro 2023, What is a tracking pixel? Published 11/17/2021. www.cookiepro.com/knowledge/tracking-pixel/ Accessed 5/2/2023